EXECUTIVE SUMMARY
Litigation related to data breaches appears to be on the rise. Healthcare organizations are sued more than other types of businesses.
- Hospitals and health systems are a favorite target for hackers.
- Healthcare organizations tend to recover faster than most other industries.
- The threat of ransomware attacks provides an opportunity to become an enterprise risk manager.
Consumers are suing companies more often for data breaches that expose their private information, according to one law firm’s experience. Healthcare organizations are seeing the biggest increases in this type of litigation.
An analysis from BakerHostetler revealed healthcare comprised 23% of lawsuits it managed due to data breaches, followed by business and professional services at 17%, finance and insurance with 15%, education with 12%, and manufacturing with 10%.[1]
Healthcare companies also received the highest initial ransom demands from hackers and bad actors; one reported a demand of $8.3 million. Healthcare providers paid the highest average ransom as well, $876,000.
The analysis shows healthcare organizations are one of the most favored targets for hackers, says Lynn Sessions, JD, partner with BakerHostetler in Houston. Before joining the firm, Sessions was risk manager at a prominent hospital for seven years.
Despite the healthcare industry’s determined and largely successful effort to improve data security in recent years, hospitals and health systems remain both appealing as targets and vulnerable to increasingly sophisticated attacks.
Healthcare organizations are attractive targets partly because hijacking their data networks can cause patient harm and death, rather than simply a financial loss. That pressure can push victims to give in to the hacker’s demands.
“We saw a significant increase for the past two and a half years in ransomware attacks on healthcare,” Sessions says. “A ransomware attack is significant because if your network is unavailable, either because it has been encrypted or you’ve been advised to take it offline, it can keep you from caring for your patients. The hackers and bad actors know that and use it against you.”
Faster Time to Normal
On the bright side, the healthcare companies involved in data breach litigation reported the second-shortest average time to return to normal operations, 6.1 days. Only the energy and technology sector was faster, at an average of 4.6 days.
“Any incident response discussion we have with a healthcare organization starts out with them asking how quickly they can get back to caring for their patients in a safe and effective manner,” Sessions says. “The second concern is about notification obligations under HIPAA.”
Some incidents involved the hacking of entire master patient indexes, Sessions notes. That meant all patients in the index had to be notified. For some large health systems, a ransomware attack might mean 5 million or 10 million patients must be notified.
Although it appears healthcare organizations are sued more for data breaches, Sessions does not believe it is because they are any worse than other industries at protecting consumer data or resisting online attacks. In fact, the healthcare industry does a better job of that than many other industries.
“The reason they’re being sued is because when a healthcare entity reports a breach, within a week the Office for Civil Rights publishes it on their wall of shame. The plaintiffs’ lawyers and the class action lawyers are looking for that,” Sessions explains. “While I understand their motivation for putting information out there, they are unwittingly helping the class action lawyers sue these organizations.”
The quest for better data security continues as hackers develop new methods. Sessions advises focusing on multifactor authentication, endpoint detection and response tools, patch management protocols, and robust backup plans.
Hospitals should carry cyber insurance that helps with the financial costs of a cyberattack. In the event of an incident, the risk manager probably will be the point of contact with the carrier.
“If the healthcare risk manager is not part of the incident response team for any kind of ransomware or other data attack, they should be. They are important to have at the table, partly because there could be patient safety implications to any of these events,” Sessions explains. “In some hospitals, the risk manager is the one leading the incident response team because they have an enterprise view of the organization.”
Become an Enterprise Risk Manager
Sessions says the threat of data breaches and subsequent litigation presents an opportunity for the risk manager to become the enterprise risk manager.
“A ransomware attack is probably the one single event an organization may face that represents an enterprise risk. It impacts operations, finances, reputation, patient care, your employees, regulatory, and litigation concerns down the road,” she says. “To the extent that a hospital risk manager has the ability to reach out to colleagues in IT, privacy and compliance, the chief nursing and medical officers — there is an opportunity for them to expand their influence in the organization.”
BakerHostetler provides this summary of other key findings from the report:
- “Attackers are resorting to double or triple extortion tactics. In an effort to increase pressure on organizations to pay a ransom, ransomware groups — in addition to encrypting files to cause an outage — threaten to publish stolen data and add other tactics such as distributed denial of service attacks to further disrupt operations.”
- “In 2021 ransomware matters, threat actors claimed to have stolen data 82% of the time. This is compared to 70% of the time in 2020, a continuation of a trend that first emerged late that year.”
- “The average ransom paid decreased to $511,957, roughly a 30% reduction from the average amount paid in 2020; this was the first drop after years of increases. Organizations took longer to pay, paying after eight days (median) compared with five days in 2020. This mostly reflects better business continuity practices; organizations were more often able to restore from backups and were paying to prevent publication so negotiations can be stretched out.”
REFERENCE
1. BakerHostetler. Digital assets and data management: resilience and perseverance. 2022.
SOURCE
- Lynn Sessions, JD, Partner, BakerHostetler, Houston. Phone: (713) 646-1352. Email: [email protected].